Author: mageshbk(a)jboss.com
Date: 2009-01-05 07:37:16 -0500 (Mon, 05 Jan 2009)
New Revision: 8959
Modified:
stack/native/trunk/modules/core/src/main/java/org/jboss/ws/core/server/WSDLRequestHandler.java
Log:
[JBWS-2437] WSDL access URL with resource suffix allows any arbitrary XML file to be viewed
Modified:
stack/native/trunk/modules/core/src/main/java/org/jboss/ws/core/server/WSDLRequestHandler.java
===================================================================
---
stack/native/trunk/modules/core/src/main/java/org/jboss/ws/core/server/WSDLRequestHandler.java 2008-12-23
16:04:54 UTC (rev 8958)
+++
stack/native/trunk/modules/core/src/main/java/org/jboss/ws/core/server/WSDLRequestHandler.java 2009-01-05
12:37:16 UTC (rev 8959)
@@ -85,11 +85,22 @@
// get some imported resource
else
{
- String impResourcePath = new File(wsdlLocation.getPath()).getParent() +
File.separatorChar + resPath;
+ File wsdlLocFile = new File(wsdlLocation.getPath());
+ String impResourcePath = wsdlLocFile.getParent() + File.separatorChar +
resPath;
File impResourceFile = new File(impResourcePath);
+ String wsdlPublishLoc =
epMetaData.getServiceMetaData().getWsdlPublishLocation();
- Element wsdlElement = DOMUtils.parse(impResourceFile.toURL().openStream());
- wsdlDoc = wsdlElement.getOwnerDocument();
+ if
(impResourceFile.getCanonicalPath().indexOf(wsdlLocFile.getParentFile().getCanonicalPath())
>= 0
+ || (wsdlPublishLoc != null
+ && impResourceFile.getCanonicalPath().indexOf(new File(new
URL(wsdlPublishLoc).getPath()).getCanonicalPath()) >= 0))
+ {
+ Element wsdlElement = DOMUtils.parse(impResourceFile.toURL().openStream());
+ wsdlDoc = wsdlElement.getOwnerDocument();
+ }
+ else
+ {
+ throw new IOException("Access to this resource is not allowed");
+ }
}
modifyAddressReferences(reqURL, wsdlHost, resPath, wsdlDoc.getDocumentElement());